MAL-2026-5739

Malicious code in sheratan_haha (npm)

Details


---

## Source: amazon-inspector (6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd)
On `npm install`, the package's declared postinstall hook (`node postinstall.js`) runs `whoami` on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (`https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7`) via `https.request`. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose — the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name `sheratan_haha`), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.

Compromised versions (2)

  • 1.0.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
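
To check whether a project resolved either compromised version, the following added example (not part of the advisory or of any source's tooling) audits a parsed `package-lock.json` for `sheratan_haha` and also lists every other dependency that runs code at install time. It assumes a lockfileVersion 2 or 3 file; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json against this advisory.
// Assumes lockfileVersion 2 or 3 (the "packages" map written by npm 7+).
const ADVISORY = {
  id: 'MAL-2026-5739',
  name: 'sheratan_haha',
  versions: new Set(['1.0.0', '1.0.1']), // compromised versions listed on this page
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null if not under node_modules.
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function auditLockfile(lock) {
  const hits = [];           // entries matching the advisory
  const installScripts = []; // other packages with install-time lifecycle scripts
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    // entry.name is set when the folder name differs from the real name (npm aliases).
    const name = entry.name || nameFromLockPath(path);
    if (!name) continue;
    if (name === ADVISORY.name && ADVISORY.versions.has(entry.version)) {
      hits.push({ path, version: entry.version, advisory: ADVISORY.id });
    } else if (entry.hasInstallScript) {
      installScripts.push({ path, name, version: entry.version });
    }
  }
  return { hits, installScripts };
}

// Constructed sample lockfile (hypothetical package names, not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/example-lib': { version: '1.3.0' },
    'node_modules/example-native': { version: '2.0.0', hasInstallScript: true },
    'node_modules/example-lib/node_modules/sheratan_haha': {
      version: '1.0.1', hasInstallScript: true,
    },
    'node_modules/date-fmt': { name: 'sheratan_haha', version: '1.0.0' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

On a real project, pass the result of `JSON.parse` on the lockfile contents to `auditLockfile`. Installing with `npm install --ignore-scripts` keeps lifecycle hooks such as this `postinstall` from running while the `installScripts` list is reviewed.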